Synful Knock questions...
- Subject: Synful Knock questions...
- From: jfbeam at gmail.com (Ricky Beam)
- Date: Tue, 15 Sep 2015 15:27:47 -0400
- In-reply-to: <CAOe-DYAKnZ68zP=NLgFWX-zZ3dGD_32jdO9pZy7k4J1Huour9w@mail.gmail.com>
- References: <[email protected]> <CAOe-DYAKnZ68zP=NLgFWX-zZ3dGD_32jdO9pZy7k4J1Huour9w@mail.gmail.com>

On Tue, 15 Sep 2015 14:35:44 -0400, Michael Douglas
<Michael.Douglas at ieee.org> wrote:
> Does anyone have a sample of a backdoored IOS image?

The IOS image isn't what gets modified. ROMMON is altered to patch IOS
after decompression before passing control to it. I don't know WTF
they're going on and on about "file size". There are many reasons to
overwrite. The most likely reason the hack does this is because it's
easier than a dynamic allocation of executable memory. Plus, modifications
done by ROMMON cannot allocate IOS system memory; their hooks MUST rewrite
existing code SOMEWHERE.

Again, this is a ROMMON HACK that doctors the running IOS image IN MEMORY
before starting IOS.